Fintech 2026 Comparisons

There have been significant changes in the fintech industry in Korea in recent years. Some of the key changes are as follows.

The most notable change is the amendment to the Electronic Financial Transactions Act (the “EFTA”) regarding payment gateway (PG) services. While PG services were previously subject to relatively loose regulations, the financial authorities have now codified a strict separation of settlement funds from a company’s operating capital.

Specifically, under the amended EFTA, PG service providers are required to deposit or entrust 100% of their settlement funds with external institutions, such as banks, or subscribe to payment guarantee insurance. Failure to comply will result in severe sanctions. In addition, the legal right for sellers to receive preferential payment of settlement funds – even in the event of a PG company’s bankruptcy – has been clearly established. Small business owners can benefit from a safer industry environment to expand their business channels with less concerns around liquidity issues of PG service providers.

The use of generative AI technology by financial institutions is expanding. In the past, the financial supervisory authorities have established frameworks for adopting AI technologies, such as the “Guidelines for AI Operations in Finance” and the “Manual for AI Development and Utilisation in Finance”. However, considering the widespread adoption of new technologies like generative AI and the passing of the Framework Act on the Development of Artificial Intelligence and Establishment of Trust (which came into force in January 2026), the regulators released a revised draft of the AI guidelines for the financial sector in late 2025. This revised guidelines iare scheduled to take effect in the first quarter of 2026 after taking into account the feedback from the financial industry.

The business models of fintech companies in Korea are continually evolving as they combine existing financial technologies with newly emerging financial innovations, such as digital banking, mobile/online payments, peer-to-peer (P2P) lending, robo-advisers, blockchain and cryptocurrencies, digital insurance platforms, open banking, algorithm trading, crowdfunding, AI-based financial services and super-applications.

Most recently, the strongest players emerging in the fintech sector have been internet-only banks, virtual asset service providers (VASPs) such as cryptocurrency exchanges, and electronic payment service providers, among others. Many of these emerging players were start-ups that have now become large companies.

Legacy players are also rapidly evolving by applying fintech business models to their existing licensed services. For example, commercial banks are providing banking and payment services on mobile/online platforms, while securities firms are offering investment products on mobile/online platforms and co-operating with multiple robo-adviser service providers to provide automated advisory services and AI-based asset management and research services. These legacy players are also constantly researching and attempting to apply blockchain technology to their legacy financial services.

Fintech business models in Korea should comply with the specific legislation that applies to them because of the nature of their business. They should also comply with existing financial legislation. Fintech companies may therefore be subject to various legislation depending on the nature of their business. The main verticals are as follows:

• Online/mobile payment service providers (other than banks) in e-commerce are regulated as prepaid/debit e-payment means or PG service providers under the EFTA.
• Internet-only banks without physical offices are regulated by the Banking Act, subject to specific special treatments relating to their licensing, governance and business activities pursuant to the Special Act on the Establishment and Operation of Internet-only Banks (the “Internet Bank Act”).
• P2P lending platform operators are regulated by the Online Investment-Linked Finance Act (the “P2P Lending Act”) in respect of their licensing and ongoing compliance.
• Robo-advisers are regulated under the Financial Investment Services and Capital Markets Act (the “FSCMA”).
• Algorithmic trading is subject to registration with the Korea Exchange (the “KRX”) pursuant to the KRX Business Regulations as well as the FSCMA.
• Cryptocurrency exchanges and digital wallet service providers are regulated as VASPs under the Act on Reporting and Using Specified Financial Transaction Information (the “AML Act”) in respect of their licensing and ongoing compliance including anti-money laundering obligations and the Act on the Protection of Virtual Asset Users (the “VAUPA”) in respect of their business activities and user protection.
• Insurtechs offering or brokering insurance products are regulated by the Insurance Business Act.
• MyData is regulated as a personal credit information management business under the Credit Information Use and Protection Act (the “CIUPA”).

In addition, the legislation that generally applies to fintech business models depending on their business elements are as follows:

• The Banking Act (if the company engages in accepting deposits from customers and providing loans).
• The FSCMA (if the company engages in investment dealing or brokerage, discretionary management or investment advice or if financial investment products such as securities or derivatives are involved).
• The Insurance Business Act (if the company sells insurance products).
• The Act on Registration of Money Lending Business and Protection of Finance Users (the “Lending Business Act”) (if the company engages in providing loans without engaging in accepting customer deposits).
• The Financial Consumer Protection Act (if the company engages in selling or advertising financial products, including loans and insurance products, to customers).
• The CIUPA (if the company engages in providing credit rating or credit information or is involved in the transfer of personal credit information).
• The Personal Information Protection Act (the “PIPA”) (in respect of the collection or transfer of personal information generally).
• The Act on Promotion of Information and Communications Network Utilisation and Information Protection, Etc (the “IT Network Act”) (if the company is an online service provider that is required to take certain information security measures).
• The Foreign Exchange Transactions Act (the “FETA”) (in respect of any payment between a Korean resident and a non-resident or any payment using a foreign currency).
• The Special Act on Support for Financial Innovation (in respect of the operation of the regulatory sandbox programme).

The compensation restrictions and disclosures under traditional financial regulations are applicable to fintech service providers as well.

For example, the Lending Business Act imposes a limitation on brokerage fees and restrictions on loan brokers that they may not receive brokerage fees from the users of lending services and should instead receive fees from the relevant credit financial institutions within the prescribed cap under the same Act.

Under the Financial Consumer Protection Act, if a financial product distributor solicits an ordinary financial consumer (or a retail investor) to conclude a contract or is requested by an ordinary financial consumer to provide an explanation, the financial product distributor should explain relevant fees in a way that an ordinary financial consumer can understand properly.

Financial investment service providers under the FSCMA may receive fees based on the size of the transactions or assets they manage. These fees may be disclosed in periodic reports submitted to the regulators or in securities registration statements filed in connection with public offerings. In specific cases, such as with investment advisory business, discretionary investment business and public offering funds, performance-based compensation may be prohibited.

Legislative bills on particular fintech business models contain provisions on fees. For example, the P2P Lending Act requires an online investment-linked financial business entity to provide information concerning fees and other incidental expenses through its online platform so that its users can easily understand it.

As mentioned in 2.2 Regulatory Regime, laws and regulations applicable to legacy players such as the Banking Act, the FSCMA, the Insurance Business Act and the Financial Consumer Protection Act apply equally to fintech companies. Additional laws and regulations relating to fintech business models, such as the EFTA, the Internet Bank Act, the P2P Lending Act and the AML Act, apply depending on the nature of the business activities.

These additional laws do not necessarily suggest the application of a more stringent regulatory framework. In some cases, the new legislation excludes the application of existing regulations, thereby allowing more flexible regulatory treatment for fintech companies. For example, while the Banking Act limits shareholding by non-financial dominant shareholders (industrial capital) in banks to 4%, the Internet Bank Act raises this limit to 34%, effectively excluding the application of the Banking Act’s restriction in this context.

To promote financial innovation, a regulatory sandbox programme was introduced in 2019. This programme fully or partially exempts eligible fintech companies from various restrictions and requirements under financial-related laws (including permits and approval requirements).

Under the Special Act on Support for Financial Innovation, financial services that are considered innovative in terms of their content, method or form compared with the existing financial services may be designated as innovative financial services (regulatory sandbox).

Once a service provider applies for the regulatory sandbox programme, the Financial Services Commission (the “FSC”) will review whether the service in question is eligible for designation as an innovative financial service. As part of the review process, the following factors are considered:

• innovativeness of the service;
• convenience and benefits for consumers;
• inevitability of application of regulatory exceptions; and
• stability of the financial market and financial order.

Once a company is designated as providing innovative financial services, it may engage in the innovative financial services to the extent permitted according to its designation without any separate licence or may be exempt from complying with various ongoing requirements under laws and regulations that would have been applicable in respect of licensed financial services.

The regulatory sandbox exemption period may not exceed two years, which is extendible, only once, for up to two years.

In May 2024, the FSC revised the application process for innovative financial services. Applicants previously submitted demand surveys and consulted with regulators before applying on a rolling basis. Under the new system, applications can now be submitted freely during designated quarterly windows. The new system was implemented in the second quarter of 2024.

The FSC and the Financial Supervisory Service (the “FSS”) are the two primary institutions in charge of regulatory enforcement over fintech products and services. The FSC is a government institution mainly responsible for creating financial policies. The FSS, acting as the enforcement arm of the FSC, is responsible for supervising and inspecting financial companies.

Financial regulators in Korea operate a system similar to the US “no-action” letter system, although the “letter” is referred to as a “no-action opinion”. The FSS issues a written opinion upon request, confirming in advance whether a proposed business activity or financial product would violate existing laws and be subject to regulatory sanctions. This allows firms to seek regulatory clarity before launching new services or products. Once a no-action opinion is issued, the FSS refrains from taking any legal or enforcement action contrary to the content of the opinion, unless there are exceptional circumstances.

Under the Regulations on Outsourcing of Business of Financial Institutions (the “Business Outsourcing Regulations”), financial companies such as banks, insurance companies and credit card companies are allowed to outsource their business operations, except in the following cases:

• when the work involves “essential elements” of the financial company’s business that require a licence;
• when the relevant laws and regulations require the financial company to perform the work; or
• when the outsourcing may harm the financial company’s credibility, cause financial disorder or harm financial users.

Financial companies must inform the regulator of their outsourcing at least seven business days before the start date, unless exempted under the Business Outsourcing Regulations.

The Data Processing Outsourcing Regulations may also apply to financial companies with respect to the outsourcing of data processing. A financial company is allowed to outsource its data processing, unless:

• it is prohibited by relevant laws and regulations;
• the financial company has received a warning or sanction regarding user information in the last three years; or
• the outsourcing may harm the financial company’s credibility, cause financial disorder or harm financial users.

In addition, financial companies are not permitted to outsource the processing of “uniquely identifiable information”, such as resident registration numbers, to offshore companies.

Financial companies must report the outsourcing of data processing to the regulator at least seven days before in the case of domestic companies and 30 days before in the case of offshore companies unless exempted under the relevant regulations.

Depending on the specific business model, other regulations, such as the FSCMA, may apply with respect to outsourcing.

Fintech service providers that fall under the scope of financial companies are subject to various regulations requiring them to comply with specific prescribed gatekeeper responsibilities, including suspicious transaction reporting (STR), anti-money laundering (AML) and know your customer (KYC) regulations under the AML Act. New fintech players such as VASPs and P2P lending platform operators are also considered financial companies for the purposes of these regulations.

In addition, a fintech provider can be subject to further specific obligations under the regulations applicable to the fintech provider depending on its business model, the steps it takes to prevent illegal activities and ensure cybersecurity, and the due diligence it carries out on customers’ suitability.

As the importance of anti-money laundering compliance grows, the Financial Intelligence Unit (the “FIU”) under the FSC has adopted a strict enforcement stance.

In December 2025, the FIU fined a domestic exchange approximately KRW35.2 billion for violations of KYC-related obligations. In addition, in January 2026, the FIU issued an institutional warning to another domestic exchange and imposed a fine of approximately KRW2.7 billion for violation of KYC-related obligations.

Personal data protection in Korea is governed by the PIPA. Meanwhile, the handling of credit information is regulated by the CIUPA. These laws apply to all financial institutions, including legacy players.

Financial security requirements are specifically addressed in the EFTA. The provisions of the EFTA apply to financial institutions (legacy players) and registered electronic financial business operators. However, fintech companies that operate without a financial licence are not subject to the security-related obligations under the EFTA.

As well as regulators such as the FSC, the FSS and the KRX, there are self-regulatory organisations in particular industries such as the following:

• the Korea Financial Investment Association, which was established under the FSCMA to be in charge of imposing self-regulations, registering and managing the professional workforce, conducting preliminary reviews of certain over-the-counter derivative products, and providing financial investment business-related training to protect investors and promote sound business operations among members of the Association;
• the Specialised Credit Financial Business Association, which was established under the Specialised Credit Finance Business Act and is responsible for recommending improvements to business operation methods for members, reviewing the advertisements of specialised credit financial companies, and publication and amendment of industry standard terms and conditions;
• the Insurance Association, which was established under the Insurance Business Act and is responsible for the determination of regulations on entrustment to insurance agents, the comparison and disclosure of insurance products and publication, and amendment of the rules required to be complied with by insurance companies; and

• the Digital Asset Exchange Alliance (DAXA), which is a non-statutory consultative body formed by major Korean virtual asset exchanges, operates as an industry-led self-regulatory participant, developing and applying common standards such as joint policies on the listing, trading and delisting of virtual assets, and anti-money laundering and other compliance-related policies in line with regulatory expectations.

Companies engaging in financial services under the requisite licence are usually restricted in terms of their business scope and activities. If a licensed financial service company intends to provide any unregulated products or services that do not fall within the scope of the financial licence held, the company will have to file a report in advance to the financial regulators, who have certain discretion in this matter, unless specifically permitted under the relevant regulations.

For example, there is no law regulating non-fungible tokens (NFTs), and NFT transactions can be brokered without any licence. However, for a licensed bank to provide these services, it may have to file a report in relation to it as an incidental business engaged in by the bank.

In Korea, the AML Act governs AML as described in 2.9 Gatekeeper Liability.

As these rules apply to “financial companies” as defined under the same Act, particular fintech companies, such as VASPs and P2P lending platform operators which are classified as “financial companies” under the Act, should satisfy the applicable regulations under the Act. However, unregulated fintech companies who do not fall under the scope of “financial companies” are not directly subject to the Act.

As a member of the Financial Action Task Force (the “FATF”), Korea has established its AML and countering the financing of terrorism (CFT) framework based on FATF Recommendations. These requirements are codified in the AML Act, which is the primary legislative basis for Korea’s AML/CFT regime.

Under this regime, financial institutions have to carry out key compliance measures, including KYC, STR and large cash transaction reporting.

While the concept of reverse solicitation is generally recognised in Korea, the extent of its application varies across different industries and within different sectors of the financial industry in Korea.

For example, under the FSCMA, foreign investment dealers or brokers do not have to obtain a Korean licence if they do not engage in solicitation or advertising in Korea or towards Korean residents and merely engage in dealing or brokering transactions in response to reverse enquiries initiated by Korean residents.

In contrast, most other Korean financial regulatory laws do not explicitly address reverse solicitation, and market practices regarding its interpretation differ by sector. For example, in the virtual asset sector, a foreign service provider is considered to be engaged in business or marketing activities towards Korean users if it offers a Korean-language website, conducts marketing campaigns targeting Korean users or enables Korean customers to purchase virtual assets using credit cards.

Robo-advisers must satisfy the prescribed requirements to become an “electronic investment advice device” under the FSCMA and pass a screening test. However, there is no requirement for different business models to be adopted for different asset classes.

Many traditional financial companies have developed a robo-adviser system. In addition, they are also actively implementing solutions developed by other fintech companies specialised in robo-adviser business.

Since the introduction of the robo-adviser system, the number of consumers using robo-adviser services has gradually increased.

There are currently no “best execution” obligations applicable to robo-advisers. However, a financial company utilising a robo-adviser in providing financial services owes a duty of care to its customers in the same way, generally speaking, a financial company does under the FSCMA.

Under the Financial Consumer Protection Act, financial consumers are categorised into professional financial consumers and ordinary financial consumers.

Financial companies (lenders) offering loan products to ordinary financial consumers should comply with a set of rules, such as obligations to identify a customer’s status, to refrain from offering inappropriate products or unfair terms and to explain material terms of the product offered. Individuals and small businesses with fewer than five employees are classified as ordinary financial consumers.

It should also be noted that internet-only banks may only provide loans to individuals and small and medium-sized enterprises in line with the Internet Bank Act. This restriction does not generally apply to other commercial banks.

There is no separate regulation regarding the underwriting of online lending. However, under the Lending Business Act, licensed lenders and credit financial institutions such as banks can only transfer loan receivables to registered debt collection agencies, other credit financial institutions and other entities specifically listed under the Act.

Banks take deposits from customers and use them to provide loans to borrowers, subject to specific deposit reserves and other various regulations under the Banking Act. Non-bank lenders, which are generally regulated under the Lending Business Act, may not take deposits from customers and may only use their own funds to provide loans to customers. P2P lending platforms accept cash investments from investors and utilise the amount of the investment to provide loans to borrowers, subject to certain investment cap and other regulations under the P2P Lending Act. It is not common for capital to fund online lending businesses in Korea to be raised through securitisation.

Online loan syndication is not common in Korea as banks typically syndicate loans for large-volume transactions, which does not usually proceed online.

There is no legal requirement for a payment processor to use the existing payment rails. A payment processor that starts a new business may utilise a partnership with an existing payment processor that already has an established network. However, this business practice is driven by commercial considerations rather than legal factors.

Cross-border payments and remittances are subject to the FETA.

Any person who intends to engage in a cross-border payment and remittance business has to register the business with the Ministry of Economy and Finance in advance in line with the FETA. Financial companies are generally permitted to make cross-border payments within the scope of their registered foreign exchange businesses. A registered small-amount cross-border remittance business entity may also handle cross-border payment and receipt up to a specific threshold per transaction and an annual aggregate cap.

Unless exempted by registration or other grounds, any person who engages in a cross-border capital transaction (such as lending/borrowing, raising capital and investing) may be required to file a report with the foreign exchange regulators. In addition, any person who pays or receives any amount exceeding a certain threshold to, or from, overseas may be required to submit documents as evidence.

In Korea, financial investment products are listed and traded on the KRX and the new alternative trading system (ATS). Unlisted stocks are traded on the over-the-counter trading platform.

Korea’s first ATS, Nextrade, launched on 4 March 2025. This marks the first operation of a multiple and competition-based stock trading system in the capital market in Korea.

With respect to virtual assets, approximately 28 registered VASPs are operating cryptocurrency exchanges. Virtual assets that do not constitute financial investment products are traded on these exchanges.

Financial investment products that are classified into securities (such as stocks, bonds and trust interests) and derivatives are mainly regulated by the FSCMA.

Meanwhile, virtual assets, which are electronic certificates that have an economic value and that can be traded or transferred electronically, are regulated by the VAUPA.

Financial investment service providers must obtain the relevant licences under the FSCMA. The FSCMA also prohibits insider trading, market manipulation and other unfair trading activities related to financial investment products.

When it comes to virtual assets, VASPs have to register with the financial authority. Following the enactment of the VAUPA, insider trading, market manipulation and unfair trading activities related to virtual assets are now expressly prohibited.

Although regulations for virtual assets have been introduced gradually, the regulation on the transaction of financial investment products under the FSCMA is relatively more stringent than the regulation on the transaction of virtual assets. For example, public offering or trading of listed securities is subject to various disclosure regulations and increased regulatory scrutiny.

The emergence of cryptocurrency exchanges has led to the enactment of the VAUPA, which came into effect on 19 July 2024. The VAUPA aims to protect virtual asset users and establish a sound order in the virtual asset market.

The VAUPA contains definitions of virtual assets and non-virtual assets. It authorises VASPs to keep users’ deposits and virtual assets safe and to manage them. The VAUPA also establishes legal grounds to impose penalties and sanctions on unfair trading activities, such as the use of material non-public information and market manipulation.

In terms of the listing rules for the KRX, quantitative requirements such as:

• the operating history;
• capital size;
• share distribution;
• financial requirement;
• restriction on stocks transfer;
• corporate governance; and
• accounting standards,

are reviewed during the listing approval process.

In addition, qualitative requirements such as:

• company continuity;
• management transparency; and
• investor protection,

are also considered.

In terms of the virtual asset market, each VASP has its own listing regulations and standards. The level of security, sustainability, and expertise and capability of the issuer will generally be considered primarily.

According to the standard internal control criteria for financial investment companies presented by the Korea Financial Investment Association, if a financial investment company is entrusted with the sale and purchase orders for customers, the following principles should be complied with:

• The company should handle orders in a fair way and on the basis of the principle of good faith. The company should not obtain or allow any third party to obtain benefits by harming the interests of the investors without any justifiable reasons.
• The company has a fiduciary duty of care to set up a system for taking and handling customers’ sale and purchase orders in a prompt, fair and accurate way and an internal control system for inspection and verification.
• The company should provide explanations to customers so that they can understand the methods of ordering, methods of handling and the terms and conditions of services provided, etc and allow them to independently make the relevant decisions.
• The company should receive customers’ sale and purchase orders in a fair and safe way for each method of ordering. It should also verify whether the person placing an order has the legitimate authority to make the order upon receipt of it.

Cryptocurrency exchanges are, in principle, prohibited under the AML Act from sharing order books with other cryptocurrency exchanges. The sharing of order books refers to an act of matching bid or ask prices and concluding transactions by sharing order books between cryptocurrency exchanges. However, a VASP is permitted to share order books if:

• the other party is a VASP that has obtained authorisation in Korea or another country and performs money laundering prevention obligations; and
• the VASP can verify information on the counterparty customers of the other VASP with which the customers of the VASP trade.

In terms of markets for trading financial investment products, only those authorised in line with the FSCMA, such as the KRX and ATS mentioned in 6.1 Permissible Trading Platforms, are permitted. Although interest in P2P platforms for brokerage of unlisted stocks has emerged in recent years, the compliance with laws varies depending on specific trading methods and business models.

The markets for trading virtual assets are mainly facilitated by centralised exchanges (server-client model, ie, exchanges broker investors’ transactions on virtual assets). The FSS has stated that if the operating entity controls the decentralised exchange and provides services as deposits, loans or staking of virtual assets, then these services provided by a decentralised exchange will fall within the scope of buying or selling, exchanging, transferring, safekeeping and administrating, etc of virtual assets and the VAUPA and the AML Act will apply.

There are no specific regulations on payment for order flow in Korea.

The FSCMA prohibits the use of material non-public information of a listed company for the sale and purchase of securities (insider trading). The FSCMA also prohibits market manipulation and market disturbance as well as unfair trading activities, such as utilising an unfair scheme in connection with the trading of financial investment products.

The VAUPA also prohibits the use of material non-public information of virtual assets for the sale and purchase of virtual assets (insider trading). In addition, the VAUPA prohibits market manipulation and market disturbance.

The KRX made some amendments to the Securities and Derivatives Markets Business Regulation in 2023. The aim was to improve the risk management regime of the capital market in Korea.

Under the revised Regulation, “high-speed algorithmic trade” is defined as any algorithmic trade conducted:

• by installing an exclusive ordering system owned or directly controlled by an investor at the IT (computing) centre of a KRX member; or
• as proprietary trading by a KRX member firm.

Any investor that intends to entrust a KRX member to place orders for high-speed algorithmic trading must be registered as a high-speed algorithmic trader with the KRX, and any KRX member that intends to engage in “high-speed algorithmic trade” itself must file a report as a high-speed algorithmic trader in advance. If an investor is not registered as a high-speed algorithmic trader, the KRX member must refuse to accept the “high-speed algorithmic trade” order.

Notably, different asset classes do not have different regulatory regimes.

Only licensed investment dealers or brokers are generally permitted to act as market makers under the FSCMA.

The market making system is aimed at increasing the market liquidity of a target security with poor liquidity as chosen by the KRX. A market maker enters into a market-making agreement with the KRX to continuously offer to both buy and sell the target securities. It should be noted that only KRX members that are investment dealer-brokers can become market makers.

The regulations on “high-speed algorithmic trade” by the KRX do not distinguish between funds and dealers.

There is no law or regulation that directly applies to programmers who develop and create trading algorithms and other electronic trading tools. However, they may be found guilty of being an accomplice to any act generally prohibited by the FSCMA, such as price manipulation or market disturbance depending on their specific conduct and be penalised accordingly.

Any person who wishes to sell insurance products has to be registered with the FSS as an insurance agent, insurance solicitor or insurance broker and comply with the relevant regulations under the Insurance Business Act. The sale of insurance products to customers is also governed by the Financial Consumer Protection Act, as described in 4.1 Differences in the Business or Regulation of Fiat Currency Loans Provided to Different Entities.

The underwriting processes may include gathering financial records and personal data to determine the risk profile of the customer and set insurance premiums. The use of an automated data processing method in the underwriting process is increasing, which highlights the growing importance of data protection and privacy laws.

Under the Insurance Business Act, there are three types of insurance business:

• life insurance business;
• non-life insurance business; and
• type 3 insurance business.

A person who intends to engage in insurance business has to obtain a licence from the FSC according to the types of insurance business, and the capital and fund requirements vary depending on the type of insurance business.

In principle, insurance companies are prohibited from concurrently operating a life insurance business and a non-life insurance business. However, operating both types of insurance business is allowed if it involves a parent company or its subsidiary.

While regtech has continued to develop its presence and grow in importance, there is no regulation in Korea that relates specifically to regtech providers. Regtech service providers are therefore regulated under the existing legal framework depending on their activities for now.

There is no regulation that relates to the performance and accuracy of the services of regtech providers. The contractual terms sought by financial service firms with regtech providers are usually driven by internal regulations of the financial services firms and may vary depending on the specific type of service provided by each regtech provider.

In the securities market industry, blockchain technology is currently being introduced on a gradual basis as a means of enhancing the efficiency and transparency of financial infrastructure, while maintaining the existing framework of traditional financial regulation. Financial authorities and financial institutions tend to view blockchain not as a tool to replace the existing financial order, but rather as an instrument to advance capital markets and payment and settlement systems. As a result, although its adoption remains limited, practical use cases within the institutional financial system are steadily expanding.

In the banking sector, there is significant interest in KRW-based stablecoins or token structures linked to bank deposits. This interest is largely driven by the objective of reducing costs and settlement times in cross-border remittances and inter-corporate settlements and can be understood as a strategic effort to enhance competitiveness in global payment infrastructure. Nevertheless, in anticipation of the possible passage of bills currently pending in the National Assembly, a number of banks are forming consortia to obtain stablecoin issuance licences. Banks are also interested in participating in central bank-led digital currency experiments and in limited internal settlement tokens.

In this context, the Bank of Korea has been continually advancing pilot projects relating to central bank digital currency (CBDC), through which it is testing how a digital Korean won could be integrated into the existing financial system. The Bank of Korea’s CBDC is designed less as a direct substitute for private stablecoins and more as a form of public infrastructure aimed at strengthening the stability and crisis-response capacity of the payment and settlement system. Private financial institutions, in turn, are using these experiments as an opportunity to explore potential future integration with the commercial banking system.

In the asset management business sector, interest in bitcoin exchange-traded funds (ETFs) and digital asset investments continues to grow in line with global market trends. Although the establishment and listing of spot bitcoin ETFs is not yet permitted in Korea, asset managers are gaining market exposure through indirect investment structures, such as investments in overseas-listed ETFs or in companies engaged in digital asset-related businesses. In addition, there has been a gradual increase in cases where investments in digital assets or related businesses are made through private funds targeting professional investors or through overseas special purpose vehicles. These structures may be seen as pragmatic choices for managing regulatory risks associated with price volatility, custody and valuation issues.

Securities companies regard blockchain-based tokenised securities (STOs) as a next-generation capital market infrastructure. Accordingly, they have shown strong interest in building platforms that support the issuance and distribution of STOs. The government has also made clear its policy direction of incorporating STOs into the institutional securities framework through amendments to the FSCMA and the Act on Electronic Registration of Stocks and Bonds (the “Electronic Securities Act”). Under this structure, as a key feature of the approach in blockchain adoption in Korea, blockchain is utilised as a distributed ledger technology, while the existing capital markets regulations governing the issuance, distribution and investor protection of securities continue to apply in full.

In the payments and settlements business sector, electronic payment service providers and fintech companies are reviewing blockchain-based remittance and payment structures; however, these efforts are primarily focused on improving internal settlement efficiency and automating transaction traceability. Where coins or tokens are used directly as a means of payment, there is a high likelihood of conflict with the EFTA, foreign exchange regulations and anti-money laundering requirements. As a result, in practice, the prevailing approach is to maintain structures similar to existing payment methods while utilising blockchain technology in the backend.

Regulatory authorities in Korea are encouraging innovation through the utilisation of blockchain technology. The Korea Internet & Security Agency (the “KISA”) specifically, under the guidance of the Ministry of Science and ICT, is looking to promote the enactment of a draft Blockchain Basic Act to expand the adoption of blockchain and support the development of the industry in the country. As part of this initiative, it is conducting research on blockchain-related technologies, including distributed ledger technology, evaluation standards for decentralised identifiers and providing legal force to smart contracts, and preparing a bill to promote blockchain technology and related industry.

Meanwhile, to issue security tokens in Korea, amendments to the FSCMA and the Electronic Securities Act are needed. Amendments to both Acts have recently been passed with the goal of institutionalising the STO and fractional investment markets, and are scheduled to take effect in January 2027. However, discussions regarding STOs in Korea are currently centred primarily on investment contract securities and beneficiary certificates issued by trust companies. With respect to the tokenisation of traditional securities such as shares or bonds, supervisory authorities are taking a notably cautious approach.

Investment contract securities are considered suitable for the initial stage of STO implementation because the content of rights can be structured with greater contractual flexibility, and blockchain-based experimentation can be conducted without requiring significant changes to existing securities market infrastructure. By contrast, shares and bonds already operate under a well-established electronic securities system encompassing issuance, custody, settlement, exercise of rights, and disclosure. As a result, transitioning these instruments to a blockchain-based structure raises substantial concerns regarding market stability and investor protection. For these reasons, supervisory authorities are understood to favour a gradual approach – introducing STOs first in relation to investment contract securities and beneficiary certificates issued by trust companies, and only thereafter considering whether to expand STOs to shares or bonds based on market developments and regulatory experience.

In addition, several blockchain-based services are exempt from specific regulations through the financial regulatory sandbox programme.

However, the financial regulatory authorities distinguish between the blockchain technology and virtual assets, and are taking a reserved and restrictive approach to the virtual asset industry.

The VAUPA and the AML Act define virtual assets as electronic certificates that have an economic value and can be traded or transferred electronically (except for electronic currency and electronic prepayment means, etc), and blockchain assets that satisfy these requirements will be classified as virtual assets.

There are no other financial laws or regulations that specifically regulate blockchain assets. However, depending on its specific nature, a blockchain asset may be classified as a financial instrument and be regulated under the existing legal framework.

For example, any blockchain asset that satisfies the definition of “securities” under the FSCMA may be classified as a security and the regulations applicable to a security or any blockchain asset will apply. The security will also have to satisfy the requirements for electronic prepayment means and may have to be classified as an electronic prepayment instrument. In addition, the security will have to follow the applicable regulations. However, since electronic prepayment means require a centralised issuer, blockchain assets are unlikely to fall under this category.

The Korean government announced the prohibition of initial coin offerings in 2017 and has kept this position to date. It is therefore a fact that issuing any blockchain assets that constitute virtual assets in Korea is not allowed. However, the government is planning to permit the issuance of security tokens in accordance with amended STO laws and regulations, and is expected to permit the issuing of virtual assets as well once the laws allowing issuance of virtual assets are enacted.

At present, a total of five legislative bills have been proposed as basic framework laws relating to digital assets, and each of these bills provides for the regulation of the business of issuing digital assets and, with respect to the issuance of stablecoins, introduces a licensing regime requiring issuers to meet a minimum capital threshold.

Under the AML Act, a person who intends to engage in the sale, exchange and brokerage of virtual assets as a business is required to register as a VASP. The obligation to register as a VASP under the Financial Information Transaction Act was mainly established to impose AML obligations on VASPs. Most of the obligations imposed on VASPs under the Financial Information Transaction Act therefore relate to the AML regime. Meanwhile, several bills aimed at introducing a new VASP licensing framework are currently pending before the National Assembly. One of these bills proposes to impose on virtual asset exchanges that broker virtual asset transactions an obligation to maintain fairness in the listing of virtual assets. Another bill would require exchanges, when deciding on the listing or delisting of virtual assets, to obtain the opinion of a transaction support eligibility review committee that is structurally independent from the exchange itself.

In light of these legislative developments, it is anticipated that the overall obligations of asset trading platforms to support fair virtual asset listings and transaction intermediation will be further strengthened going forward. Accordingly, it will be necessary to continue closely monitoring the legislative progress of these bills.

Staking services are not prohibited under Korean law. However, under the VAUPA, a staking service provider must retain actual possession of the virtual assets entrusted to them by users. Providers may therefore only offer staking services they operate and take custody directly rather than outsourcing these activities to third parties. In addition, if a provider takes custody of users’ virtual assets, it is required to obtain a virtual asset custody service licence for these activities.

Lending services relating to cryptocurrencies are not prohibited or restricted under Korean law. The financial authorities have interpreted that virtual assets do not fall within the scope of “money or the like”, which is subject to regulation under the Lending Business Act.

As the value of virtual assets has risen in recent years, there has been growing interest in lending structures in which virtual assets are provided as collateral. At present, there are no regulations that expressly prohibit the creation of security interests over virtual assets. However, depending on the specific method by which collateral is established and enforced, a VASP licence may be required. For example, where a lender takes custody of virtual assets entrusted to it by a borrower and, upon satisfaction of enforcement conditions, acquires ownership of those assets, such structure may constitute the custody of entrusted virtual assets and therefore require a virtual asset custody service licence as a VASP.

Derivatives with virtual assets as underlying assets are currently prohibited under the policies of the Korean financial authorities. Virtual asset exchanges in Korea do not therefore offer products such as futures or options based on virtual assets. While traditional securities exchanges recognise particular qualified entities as market makers or liquidity providers, these roles are not recognised in the context of virtual assets.

There is no clear legislation that defines or regulates decentralised finance (DeFi). It therefore remains uncertain whether one can avoid virtual asset-related regulations on the basis that a service qualifies as DeFi. However, the VAUPA and the AML Act apply to entities that conduct virtual asset-related activities as a business. If a particular entity continuously and repeatedly derives profit, such as by receiving a particular form of revenue, including fees, regardless of its structure, that entity may be subject to regulation under these laws, even if the service is operated under the name of DeFi.

Conversely, if there is only a protocol in place and no specific entity exercises control or significant influence over its operation nor engages in the continuous and repeated pursuit of profit, the protocol or any related entity is unlikely to be subject to regulation under these laws.

The financial supervisory authorities are currently largely against investment in virtual assets by funds established by domestic collective investment business entities. This is because virtual assets are not considered eligible investment targets under the FSCMA, and given consideration to these circumstances, funds established onshore do not invest in virtual assets. They are instead known to invest in blockchain assets indirectly by investing in the companies that own the blockchain technology.

The FSC specifically prohibits the issuance of spot bitcoin ETFs and the brokerage of overseas spot bitcoin ETFs. This is because these activities could be considered to be inconsistent with the government’s established position and may violate the FSCMA. However, overseas bitcoin futures ETFs are permitted.

Under the existing legal framework, there is no clear definition of virtual currency. However, in the market it refers to blockchain assets that function as means of payment in general.

In terms of virtual assets, the VAUPA defines virtual assets as electronic certificates that have economic value and that can be traded or transferred electronically except for the following:

• electronic certificates that cannot be exchanged for money, goods or services, etc or if, as part of information about the certificate, the place and purpose of the use of the certificates are restricted by the issuer;
• products obtained through gaming services or products;
• electronic prepayment means and electronic currency; and
• electronically registered stocks, electronic bills, electronic bills of lading and electronic forms of currency and related services.

The majority of blockchain assets are likely to satisfy this definition of virtual assets and there will therefore not be many differences between the treatment of virtual assets and blockchain assets.

Under the current legal framework, payments using virtual assets, such as stablecoins, are, in practice, not permitted due to gaps and inconsistencies in the existing legislation and regulatory regimes governing virtual assets, electronic financial transactions and foreign exchange transactions. In particular, with respect to whether virtual assets may be used as funding sources for electronic prepaid payment instruments, such instruments are, under the EFTA, in principle issued, funded and redeemed on the assumption of money or other assets of similarly stable value. Given that virtual assets exhibit significant price volatility, lack the status of legal tender and pose heightened risks from the perspectives of anti-money laundering and consumer protection, they are generally understood not to qualify as permissible funding sources.

Moreover, if virtual assets were permitted to be used as funding sources, electronic prepaid payment instruments could effectively function as channels for the circulation and settlement of virtual assets, raising concerns that the regulatory frameworks of the EFTA and the AML Act could be circumvented.

The FSC has issued guidelines for determining whether NFTs qualify as virtual assets. Under these guidelines, NFTs must be assessed first to determine whether they constitute “securities” under the FSCMA. If they do not, the next step is to determine whether they fall under the category of “virtual assets” as defined in the VAUPA.

Regardless of their form or underlying technology, if the rights acquired by the investor are considered to constitute securities under the FSCMA, the FSCMA will apply.

If an NFT does not qualify as a security under the FSCMA, it must then be determined whether it qualifies as a virtual asset. In making this determination, the following factors are considered:

• whether the NFT is issued in large quantities or as part of a large-scale series and is highly interchangeable;
• whether it is divisible, thereby significantly reducing its uniqueness;
• whether it can be used, directly or indirectly, as a means of payment for specific goods or services; and
• whether it can be exchanged between unspecified parties for virtual assets or used in connection with other virtual assets for the payment of goods or services.

If any of these criteria are met, the NFT will be regulated under the VAUPA as a virtual asset.

In Korea, there is not yet a single, comprehensive law in force that fully regulates stablecoins. However, alongside ongoing discussions on expanding the regulatory framework for virtual assets in stages, significant policy debate is taking place among the Bank of Korea, financial regulators and the private sector, particularly with respect to qualification of issuer of stablecoins.

From a legislative perspective, the VAUPA currently in force focuses primarily on the regulation of virtual asset exchanges and the protection of users and does not directly regulate the issuance structure of stablecoins. Accordingly, the National Assembly and the government are discussing follow-up legislation – often referred to as the “second-phase virtual asset legislation” – that would comprehensively regulate the issuance and distribution of digital assets, including stablecoins, as well as requirements relating to reserve assets. In this process, stablecoins are being treated not merely as virtual assets, but as instruments that may in practice function as means of payment or money-like instruments. As a result, consistency with existing financial laws, such as the EFTA, FSMCA and FETA, has emerged as a key issue. In particular, with respect to KRW-pegged stablecoins, there is a growing consensus that matters such as the composition of reserve assets for at least 100% of issuance amount, the guarantee of redemption rights, management of outstanding issuance amounts, and user protection mechanisms must be clearly prescribed by law.

In this regard, the Bank of Korea has maintained a relatively clear and consistent position on stablecoins. The Bank of Korea has expressed concern that the widespread use of KRW-linked stablecoins could undermine the effectiveness of monetary policy, weaken the stability of the payment and settlement system, and give rise to systemic risks in times of financial stress due to large-scale redemption demands (bank run). For these reasons, the Bank of Korea has taken the position that issuers of KRW-based stablecoins should, in principle, be limited to the central bank or, at a minimum, to strictly licensed financial institutions such as banks. Furthermore, it has advanced the view that CBDC, rather than private stablecoins, represents a more desirable alternative.

By contrast, participants in the financial industry and the fintech sector, and certain policy experts, have argued that restricting stablecoin issuance solely to the central bank or to banks could cause Korea to fall behind in terms of technological innovation and global competitiveness. In particular, in the areas of global payments, on-chain finance and the digital asset ecosystem, privately non-bank USD-based issued stablecoins are already functioning as de facto standards. From this perspective, overly restrictive limits on issuers could unnecessarily constrain the growth potential of the domestic industry. It has also been suggested that, subject to robust reserve asset requirements, strict disclosure and supervisory oversight, and clear redemption obligations, issuance could be permitted for non-bank financial institutions or fintech companies that satisfy prescribed criteria.

As noted above, the legislative bills currently pending provide for a licensing regime under which stablecoin issuers must meet a minimum capital requirement. Accordingly, it will be necessary to continue closely monitoring how the legislative framework for stablecoins ultimately takes shape.

Open banking is currently operated in line with the rules of the Korea Financial Telecommunications and Clearings Institute (the “KFTC”).

Fintech service providers that have executed an agreement for the use of open banking with the KFTC and financial institutions participating in open banking (“Institutions Using Open Banking”) may in general expeditiously and easily launch various fintech services by utilising open application programming interfaces and testbeds to integrate new IT technology into existing financial services.

However:

• “withdrawal agency services” in which Institutions Using Open Banking make withdrawals acting as agent, or resell the right to withdraw thereto, with a user’s consent to withdrawal obtained through a third party; and
• “payment services” in which Institutions Using Open Banking collect a certain amount on a regular and repeated basis in return for the goods or services that they provide to a user,

are excluded from using open banking.

Any company likely to engage in an act that may disturb the financial order or cause harm to consumers may also not be permitted to use open banking.

Institutions Using Open Banking should manage the personal information of users or recipients obtained in connection with the open banking business in a way that prevents any unauthorised disclosure and, unless the subject of the information provides consent, may not use the information for any other purposes than the intended business purposes.

If an incident happens because this privacy requirement is violated, the Institution Using Open Banking should indemnify the relevant user or third party for any damages incurred by it in the absence of any special circumstances to be considered.

In this respect, Institutions Using Open Banking must thoroughly prepare to prevent any breach of personal information by putting procedures in place for the protection of personal credit information as required by the relevant laws, including the PIPA and the CIUPA.

Fraud is primarily regulated under the Criminal Act as a criminal offence. The elements of fraud are generally categorised as follows:

• fraudulent conduct;
• causing a mistake;
• a dispossession act;
• a causal relationship between the fraudulent conduct and the mistake as well as between the mistake and the dispossession act;
• acquisition of property benefit; and
• occurrence of property damage.

In addition, specific types of fraud are regulated under specialised laws. For example, the Specialised Credit Finance Business Act regulates the act of forging or altering credit cards or using or selling forged or altered credit cards. In these cases, the elements related to the forgery or alteration of the credit card must be met for the offence to apply. Similarly, the EFTA regulates acts involving means of access.

Regulatory authorities monitor various types of fraud, including:

• electronic communications financial fraud (such as phishing, smishing and pharming);
• authorised push payment fraud;
• illegal loan fraud; and
• cryptocurrency-related fraud (eg, market manipulation).

Special attention is given to monitoring electronic communications financial fraud that involves the leaking of personal information.

Under the EFTA, financial institutions and electronic financial service providers  are liable for compensating customers for all damages arising in the following cases:

• accidents caused by the forgery or alteration of means of access;
• accidents arising from the electronic transmission or processing of contract formation or transaction instructions; and
• accidents resulting from the use of means of access obtained through false or fraudulent means by intruding into electronic devices or information communication networks for electronic financial transactions.

However, an electronic financial service provider may have a defence if it can prove that the customer acted with intent or gross negligence; and if an agreement was made with the customer in advance regarding the customer bearing partial responsibility for damages in these cases or if due diligence was sufficiently performed for corporate clients, the customer may bear all or part of the responsibility for any such damages.